Monday, June 26, 2017

Originally published on CyberScoop, this is just an archived version for the timeline!

Why a global cybersecurity Geneva convention is not going to happen

Microsoft President and Chief Legal Officer Brad Smith has been pounding the pavement all year asking for a "Cyber Geneva Convention" in the face of threats facing his employer's software and the global Internet at large.

It's a pipe dream and I'll tell you why.

Any global effort works best when there are clear answers. There is a clean line between "nuclear war" and "not nuclear war." The cyber domain is different. While there is some consensus within Microsoft, driven by business concerns and hyped as social concerns, there is none within or between global governments. We don't even know the trade-offs implied by many of the things Microsoft is asking for: a barrier on the trade of "cyber weapons" resulted in massive outcry when it was codified in the Wassenaar Arrangement's intrusion software controls, some of which came from the very same people at Microsoft, who rightly realized it would severely slow progress on defensive technology as well.

To put it more clearly, the problem is a fractal. The U.S. Government cannot agree on any one cyber issue, but if you drill down neither can the DoD, and if you go deeper, even the NSA cannot agree with itself on these issues. No matter how far down the chain you go, there are competing initiatives and both sides are right in their own way. This is why we both fund efforts to stand up and break down Tor. When Hillary Clinton was Secretary of State, she gave a speech advocating a censorship-free Internet while also trying to prosecute Julian Assange. Every aspect of the cyber problem is linked and multifaceted, and we come down on both sides of the argument every time.

What Microsoft is driving at is a world where all hacking is off limits for governments forever, and vulnerability research would be strictly controlled in order to prevent it from "getting into the wrong hands." Even if Smith and Microsoft are successful in that endeavor, it would only result in empty words rather than a more secure global society. Aside from the obvious fact that governments are unlikely to give up the ability to perform cyber operations, and that the lines in cyber are blurrier than a toddler's finger painting, this is the wrong fight for Microsoft to be fighting.

In order to understand why a "global cyber Geneva Convention" would miss the mark, let's look at Microsoft's possible motivations and how we got to this point overall.

The nightmare scenario Microsoft is trying to protect itself from has nothing to do with the Shadow Brokers' ETERNALBLUE exploit, which was fed into the WannaCry ransomware worm. Keep in mind, every worthy SIGINT team around the world could use its own internal exploits to release two WannaCry-level worms a month in perpetuity until Microsoft could no longer sell its OS.

Beyond that Microsoft has to wonder if the Shadow Brokers has the capability to access internal Microsoft information. The group could leak that information, which would possibly include the giant volumes of vulnerability information in the Microsoft Bug Database, dwarfing anything an intelligence agency had found and exploited.

So while it may be Russia's GRU or some other elite nation-state hacking group, Microsoft, like every other company on the planet, lives at the will of the highly talented and well-financed digital spy apparatus. That's a level of risk Microsoft would like to wipe off the balance sheet. It is telling that the United States Government cannot protect American businesses in cyberspace from even the smallest, weakest countries, as Sony Pictures Entertainment demonstrated clearly, partly through policy paralysis.

So for Microsoft to push for a "global cyber Geneva Convention" is a selfish distraction from where governments should be concentrating when it comes to establishing future norms in cyberspace. While Microsoft's efforts here are largely focused on preventing the release or use of software vulnerabilities, our real strategic issues have little to do with software bugs.

One such vulnerable area is cyber economic espionage. What changed with the Chinese-U.S. agreement is not what organizations were targeted or what information was taken from those targets. What changed — in theory at least — is what the Chinese do with that information on their end. Do they give it to competitors of U.S. companies, or do they use it only for strategic intelligence needs, as we hope they do under threat of massive sanctions? In other words, we have no way to police their behavior on this issue by looking at our own systems and networks. This is the kind of international regulation that is essentially on the honor system.

Supply chain attacks are even more dangerous for Microsoft's businesses. All you have to do is look at Cisco and what they have learned from their routers being trojaned before delivery to customers. This is an area where Chinese companies also struggle (take Huawei as the prime example), but the anti-virus vendor Kaspersky is now fighting for its life in this space as well.

Those two examples of massive policy adjustments waiting to happen just scratch the surface. We haven't even discussed the chaos around cryptographic backdoors, customer data warrants, custom software versions like the "Red Flag" OS Microsoft was forced to build in China, Internet censorship, software export control and data localization.

These topics demonstrate the difficulty of any international agreement that focuses on norms that are very important to our industry, especially in an environment where almost all the real data is cloaked under high levels of classification. But the bigger issue with a "digital Geneva Convention" is that the focus is on vulnerabilities and "hacking" instead of the much bigger questions surrounding the circulatory barrier between private and public interests. You either deal with all of the issues in this area, or none, as they are all interlinked.

While the U.S. government has been quite open about its efforts to help the private sector wherever possible, (VEP, ICOnTheRecord, self-limiting how long we store traffic from foreigners, sanctions efforts, etc.), there's no sign that the world is ready to follow our lead. Shadow Brokers is widely assumed to be a Russian-led effort, yet other governments have been quite aggressive in bypassing any and all norms in the cyber area - even the much touted United Nations and NATO agreements have been about "broad principles," which are unenforceable in any practical way.

Ideally, a "Cyber Geneva Convention" would result in a sustainable global framework that handles these strategic issues. How vulnerabilities are handled is both too small an issue in comparison and unlikely to be followed by the majority of the world's governing bodies. This week, as we face down Russian efforts to attack power plants, recognized norms seem as far away as humans on Mars, no matter how nice they would be for Microsoft’s shareholders.

The painful truth we would learn from any honest discussion of limits on cyber offensive capabilities is not that the world's governments disagree with each other, but that every government disagrees internally. This is as true in Germany and China as it is in the U.S. It is also true that corporations' place in our world, and how our wars are conducted, has changed, and that change has come with how the Internet has changed the way humans organize.

Microsoft has always been a leader when it comes to information security, and this is as true with the legal issues surrounding them as it is technologically. A Global Cyber Geneva Convention is never going to happen, and we should not treat the idea as if it was a realistic way forward until we, internally, can agree on a single and coherent position.

Tuesday, June 20, 2017

For all the talk of realtime when it comes to cyber defense, cyber offense is a turn-based strategy game. This is because most investments in cyber offense take years to develop, and you only get to know whether the investment was worth it at the end.

While obviously the United States and other players are doing continual development, it's mostly on established platforms. Truly new platforms are a five-year maturity cycle away. Not only that, but the maturity of a given platform moves in punctuated equilibria: long plateaus, then a sudden jump.

I want to relate a story Rag Tagg tells (yes, click the link and listen for a sec) about Quake. Many of you might remember Quake, but for those of you who don't, this was the first time some gamers rose to the top and could really demonstrate to the whole world their dominance in player-vs-player deathmatch-style gaming.

Thresh was the first one anyone heard about in the real world. Not only did he have an etymologically cool name, but he dominated the early deathmatch scene by shooting people with rockets out of the air and developing map strategies that at the time seemed advanced but now are as primitive and useful as a Tuatara's third eye.

But what Rag Tagg points out is that long after everyone else left the Quake DM scene, some core group of fanatics developed an entirely new strategy around the lightning gun. The game hadn't changed at all, but people realized with enough skill at a weapon previously just thought to be useless special-purpose trash, they could change the strategic dynamic completely.

"The principles never changed, but the players that stayed, they ... learned things."

Let me talk briefly about RATs now. If you look at most of them, Meterpreter for example, you'll see that you have an operator who types a command, which gets sent over some synchronous link, and then the response comes back. This kind of "ping-pong" operator model is simple to understand and keep in your head. It is like a terminal: the operator cannot do anything else until the answer arrives, and every command produces its own request/response pair on the wire.

But INNUENDO and all modern tools are built on an asynchronous model: the operator queues tasks, the implant checks in on its own schedule, collects whatever is waiting, and posts results back later. That makes their operation model and corresponding strategy as different from Meterpreter as a lightning gun is from a rocket launcher. If you are building all your defenses against Meterpreter-style synchronous tools, then nothing you do will work against the newer generation of platforms.
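To make the difference concrete, here is a toy simulation of the two operator models. This is an added example, not code from Meterpreter, INNUENDO or any real tool; the "host", its three commands and the class names are all constructed for illustration. The synchronous operator blocks on each command and leaves one request/response pair per command on the wire. The asynchronous server holds queued tasks until the implant beacons, then hands all of them over in a single exchange and collects all the results at once, so three commands cost three wire messages instead of six, and the operator has nothing until the implant decides to show up.

```python
"""Synchronous ("ping-pong") vs asynchronous (queued tasking) RAT models.

Added example for illustration only; not the code of any real implant.
"""
import itertools
from collections import deque
from dataclasses import dataclass

# Constructed stand-in for a compromised host so the example runs offline.
FAKE_HOST = {"hostname": "ws01", "user": "alice", "files": ["a.txt", "b.txt"]}

# Constructed command handlers; a real implant would run these on the host.
HANDLERS = {
    "hostname": lambda: FAKE_HOST["hostname"],
    "whoami": lambda: FAKE_HOST["user"],
    "ls": lambda path=".": " ".join(FAKE_HOST["files"]),
}


def execute(command):
    """Run one constructed command string ("ls /tmp") against the fake host."""
    name, *args = command.split()
    return HANDLERS[name](*args)


class SyncOperator:
    """Terminal-style operator: run() returns only once the implant has answered."""

    def __init__(self):
        self.wire = []  # every message in wire order, as (direction, payload)

    def run(self, command):
        self.wire.append(("op->implant", command))
        result = execute(command)  # implant answers on the same connection
        self.wire.append(("implant->op", result))
        return result


@dataclass
class Task:
    task_id: int
    command: str


class AsyncServer:
    """Tasking server: the operator queues work here and never talks to the implant directly."""

    def __init__(self):
        self.pending = deque()
        self.results = {}
        self.wire = []
        self._ids = itertools.count(1)

    def queue(self, command):
        task_id = next(self._ids)
        self.pending.append(Task(task_id, command))
        return task_id

    def checkin(self):
        """Implant side: one request drains everything queued since the last beacon."""
        tasks = list(self.pending)
        self.pending.clear()
        self.wire.append(("implant->server", "checkin"))
        self.wire.append(("server->implant", [t.command for t in tasks]))
        return tasks

    def post_results(self, results):
        self.wire.append(("implant->server", results))
        self.results.update(results)


class AsyncImplant:
    def beacon(self, server):
        """One beacon: fetch all pending tasks, run them, post every result in one message."""
        tasks = server.checkin()
        if tasks:
            server.post_results({t.task_id: execute(t.command) for t in tasks})
        return len(tasks)


def demo(commands=("hostname", "whoami", "ls /tmp")):
    """Run the same commands through both models and report what the wire saw."""
    sync = SyncOperator()
    sync_results = [sync.run(c) for c in commands]

    server, implant = AsyncServer(), AsyncImplant()
    ids = [server.queue(c) for c in commands]
    before_beacon = dict(server.results)  # operator has nothing until the implant checks in
    tasks_run = implant.beacon(server)
    async_results = [server.results[i] for i in ids]
    return {
        "sync_results": sync_results,
        "sync_wire_messages": len(sync.wire),  # 2 per command
        "async_results_before_beacon": before_beacon,
        "tasks_run_in_one_beacon": tasks_run,
        "async_results": async_results,
        "async_wire_messages": len(server.wire),  # 3 for the whole batch
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A detection keyed on interactive behaviour (a request immediately followed by a response, repeated once per operator action) matches the synchronous model and sees nothing interactive in the asynchronous one: the implant is silent until its beacon, and the operator's three actions collapse into a single check-in.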

I say "modern" but INNUENDO was ramped up Feb 13, 2013 - just to give a picture of the level of foresight you need when building offensive programs and what a realistic timeline is. One of the reasons smaller countries are going to want to be a part of a larger cyber security umbrella is that they cannot afford for their investments to be in the wrong area or on the wrong platforms.

Wednesday, June 14, 2017

There are two real possibilities for combating botnets on the Internet. One is to play Core War, which requires legal setups that allow us to launch beneficial worms that patch vulnerabilities. I can see most policy types shaking their heads at how difficult this would be to do, but it is a technically workable option.

The other method is to build a resilient internet - by which we do not mean an internet free of vulnerabilities, but one free of centralized choke points that can be targeted by massive traffic attacks.

DNS is the primary pain-point, but also one the government likes having around because it allows for centralized governmental control. Imagine if everyone was on a decentralized domain system, and the FBI could not "seize" domains. This is the price you pay for resilience. To be fair, I don't think we really want it. :)

Tuesday, June 13, 2017

I went to this talk today at EmergeAmericas, a business conference a few blocks from my house put together by the movers and shakers of Miami. It had an eclectic crowd of people. But one of the speakers was a bit of a surprise because I'd never seen him speak before, Ambassador Henry Crumpton.

Look at this talk and tell me what it's about:

What is this about? ANYTHING?

Anyways, I had low expectations based on the abstract. But the talk itself was great in the way all great talks are. It was a stampede through his life, which was fascinating and involved negotiations with Afghan warlords and other tide turners. And one thing he highlighted was the continual massive amount of continuity bias he saw everywhere he went, even when obviously things were changing about as fast as they possibly could.

This is nowhere more true than in every defense talk where they go on and on about how the attacker only has to find one hole, but the defender has to patch them all.

Yes, looks like they are doing REAL well at maintaining invisibility, eh?

Look, here's the thing. I read every incident response report that MS and FireEye and Crowdstrike and Endgame and everyone else puts out. PLATINUM looks like a no-holds-barred good team. It's not a team that got caught from a leak. They got caught by commercial, reasonably priced incident response technology. What if network defense technology is starting to work?

What I'm saying is that it would be a massive mistake for US strategic policy to assume that Microsoft or Qihoo 360 can't build a security fabric that stops exploitation even on buggy systems with nation-state 0day and techniques. We need to be careful when we design things like the VEP that we don't castrate our strategic intelligence needs.

When you start out hacking, you always hack things that move and go boom because that's the toddler in you coming out, and nothing is more hacker-like than the pure uncontrolled Id.

But if you want to cause real human suffering in an advanced state, manipulating data in a criminal court system is probably the way to go? Once you've planted emails that show prejudice, all you have to do is allow normal discovery to take place - no data exfiltration scheme needed!

I mean, a wise person does not have a house anywhere in a major national dam's floodplain in this day and age. You pretty much have to assume they're all hacked, probably with malware written by a few different countries' lowest bidders.

But that said: Criminal systems. They combine a need for perfect trust with high impact on society, and weak protections.

Thursday, June 8, 2017

There's a whole class of individuals out there with no real job description because "Cyber Warrior" sounds pretentious as hell. But that's as close as we get, and the most important thing they do is pick targets.

What cyber war attacks best is ideologies. But "ideology" is a fuzzy term. So what I like to use to predict fruitful (haha) areas of research is essentially a combination of "hypocrisy" and "industry based on illusion". In other words, how do you get the biggest bang for your buck by manipulating or releasing information? First, your opponent must be off-balance in some way, like how the DNC was, to anyone with the right eyes.

The massive food distribution network is well within the risk area of this kind of analysis. No doubt, when federal policy teams get around to it, they will try to classify it all as "critical infrastructure", which is what they do when scared.

We don't have a TON of real research in the open space on how to find areas where you have a lot of leverage for cyber war effects. People sort of run from one exciting moment to another. Yesterday, car hacking is hot! Today, political hacking and info-war!

But just to start by adding some propane to the fire:

Food distribution combines these fun things (collect them all!):

Massive, distributed, country sized wireless networks

Full of special purpose old hardware and software with complex supply chains and basically no forensic capability

Where any level of UNCERTAINTY, let alone visual physical effect, can cause mass disruptions. You don't have to poison every grape - just ONE GRAPE - in order to make all the grapes worthless

No long history of massive security investment (unlike, say, the financial sector)

When you look at strategy in combat or gaming there's a lot of talk of the "meta". In other words, under a given ruleset, what are the best-fit resource allocations for success? But what you see with champions is they almost always go OFF META. Because the true meta is always surprise. With cyber it is no different. Russia's plans worked because they were a surprise. And our response, as well, must be.